Cloud Computing: What Accountants Need to Know

There’s
no arguing that “cloud computing” is gaining a great deal of
momentum. Worldwide, cloud services revenue is forecast to reach
$68.3 billion in 2010, a 16.6% increase from 2009 revenue of $58.6
billion, according to analyst firm Gartner Inc. So what does this
mean to the accounting profession? What are the benefits and risks?
Who are the vendors in the proverbial sky, and how do you know you
can trust them with your data—or your clients’ data, for that matter?

This
article answers some of those questions and explains the history and
future of the cloud.

The
easiest way to think about cloud computing is as doing business on
the Web, therefore eliminating the need for in-house technology
infrastructure—servers and software to purchase, run and maintain.
Unlike traditional software, which is distributed and deployed
on-premise, cloud applications are designed for Web deployment. They
are multitenant (delivered by one vendor to many customers), and
users share processing power and space that is managed by the vendor.

Terms
including “Software-as-a-Service,” or SaaS, and application service
provider (ASP) often are connected to cloud computing in
presentations and articles, but there are subtle differences between
them. (For an explanation, see the “Definitions” box accompanying
this article.) The types of applications available run the
gamut—from tax software to payroll to full enterprise resource
planning (ERP) systems—and most often are leased on a subscription
model instead of purchasing licenses.

DOING BUSINESS IN THE CLOUD

Is it
worth making the switch? Vendors and analysts point to several
benefits to switching to a cloud environment.

Quick
implementation process. Most
vendors claim their applications can be up and running in a few
minutes because there is no software to install. The implementation
process also is easier for companies with multiple locations or
remote workers to all have access to the same version of the
application simultaneously.

Anytime
access from anywhere with an Internet connection, which
again includes the ability for employees to work remotely.

Lower
upfront costs. Instead
of paying a license fee and for annual maintenance, most models
allow users to pay as they go (usually monthly, though some require
annual contracts). They can pay per user and easily add more users.
Vendors can offer their products at a lower cost in this situation
because their systems are built to allow several customers to share
infrastructure (both servers and storage areas) in a way that is
transparent to users and does not allow those customers access to
each other’s data. It may be difficult to conduct a cost comparison
of doing business on-premise versus in the cloud unless a company
has moved all its business off-premise. Some companies may outsource
services such as their e-mail and/or infrastructure support, but
still manage their core applications. That being said, realize that
the upfront costs include the cost of hardware and IT employees that
no longer need to be in-house.

Little
or no hardware or maintenance costs. The
vendor takes responsibility for maintaining the software and
servers. This is where things can get tricky. If people evaluate
the return on investment of switching from on-premise to cloud
products by comparing what they are spending now to what they
will be spending if they switch, they are not really comparing apples to
apples, said Gregory LaFollette, CPA/CITP, a senior manager with
Eide Bailly LLP and consultant to accounting firms and vendors. In
an on-premise environment, the customer pays for the hardware,
storage space and IT personnel to maintain the system in addition to
the software. In a cloud environment, the vendor fronts those costs,
so a larger percentage of the total cost of ownership by the
customer shifts away from hardware and people and toward software.
Some industry analysts estimate the break-even point of leasing
versus buying the software at about three years.

In
general, doing business in the cloud should cost less than doing
business on-premise, says Donny C. Shimamoto, CPA/CITP, founder and
managing director of consulting company Intraprise TechKnowlogies.
He suggests analyzing whether to make the switch as a three-year
amortization of upfront costs for an on-premise application
including servers, software licenses and installation plus estimated
maintenance for three years and comparing that to the cost of
subscribing to the cloud version of the product for three years.
This can be applied to partial versus full cloud conversions and
should be done on an application-by-application basis to determine
whether there is cost savings by moving each application to the
cloud. He said factors to consider include:

Reduced
support costs. Rather
than having to employ in-house experts for product support, the
vendor typically provides support directly for the
customer.

Reallocation
of resources. IT
staff can be reallocated for more strategic projects, rather
than spending time on system upgrades and
maintenance.

Easier
and more regular upgrades. Vendors
can regularly tweak their products. In many cases, those
enhancements are made automatically in the background without
disrupting the customer’s work. Most vendors provide advance
notice to alert customers about the changes and give them the
option of when to turn new features on or off, if they don’t
like them or aren’t ready to upgrade.

Disaster
recovery and backup capabilities. One
of the costs incurred by customers who keep their data
on-premise is backing up their data, typically via tape or by
contracting a third-party backup provider. This is another area
covered by the vendor in a cloud environment. Often vendors have
redundant backup systems so that customer data is replicated in
a separate data center in case of fire, flood or other disaster.
The infrastructure is “self-healing” so that when a failure
occurs and the backup becomes the primary source of information,
the system launches a new backup instance of the data,
LaFollette explains.

SECURITY AND RELIABILITY CONSIDERATIONS

With
all this sharing of storage space in the “sky,” one of the biggest
concerns expressed by those considering switching over to cloud
applications is the safety of their data and their clients’ data.
It’s a concern cloud vendors have been fighting to overcome for
years. How can you know the data is safe?

First
and foremost, make sure the vendor uses a data center that has
received an AICPA Service Organization Controls Report (SOC),
formerly known as a SAS 70 report. For purposes of this article, a
vendor is considered the user, and the data center is the service
organization. The AICPA developed the guidance to provide a highly
specialized examination of a service organization’s internal
control. There are three types of SOC reports:

AICPA
SOC 1: Report
on Controls at a Service Organization Relevant to User Entities’
Internal Control over Financial Reporting. These reports,
prepared in accordance with Statement on Standards for
Attestation Engagements (SSAE) no. 16, Reporting on Controls
at a Service Organization, are specifically intended to
meet the needs of user entities’ management and their auditors,
as they evaluate the effect of the controls at the service
organization on the user entities’ financial statement
assertions.

AICPA
SOC 2: Report
on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity,
Confidentiality and/or Privacy. These reports, prepared using
the AICPA guide Reports on Controls at a Service Organization
over Security, Availability, Processing Integrity,
Confidentiality, or Privacy (currently under development),
are intended for users that have a thorough understanding of the
service organization and its internal controls. These reports
can form an important part of the users’ oversight of the
service organization; vendor management; and internal corporate
governance and risk management.

AICPA
SOC 3: Trust
Services Report (Trust Services Principles, Criteria, and
Illustrations) (AICPA, Technical Practice Aids, vol.
1, (TPA sec. 100) commonly referred to as SysTrust reports).
These reports are designed to meet the needs of users who want
assurance on the controls at a service organization related to
security, availability, processing integrity, confidentiality,
or privacy but do not need the level of detail provided in a SOC
2 Report. These reports are general use reports and can be
freely distributed or posted on a website as a seal.

A
vendor that undergoes such an examination is stringently evaluated
on its controls over the system or service it provides to user
entities. The controls address the components of a system which include:

Infrastructure. The
physical and hardware components of a system (facilities,
equipment and networks).

Software. The
programs and operating software of a system (systems,
applications and utilities).

People. The
personnel involved in the operation and use of a system
(developers, operators, users and managers).

Procedures. The
programmed and manual procedures involved in the operation of a
system (automated and manual).

Data. The
information used and supported by a system (transaction streams,
files, databases and tables).

As a
result of these engagements, vendors receive a comprehensive audit
report that includes a description of the system prepared by the
service organization, the suitability of the design of the controls
for an AICPA SOC 1 or SOC 2 report in a type 1 engagement, and in a
type 2 engagement, the operating effectiveness of the controls over
the system.

LaFollette
suggests asking vendors for a copy of their SOC 2 report, if
unrestricted, and/or their SOC 3 report.

Best
practices also include using a third-party monitor, such as McAfee
Secure or Comodo HackerGuardian, to test the security of the
vendor’s Web applications on a daily basis. Look for that logo and
the date-tested stamp on the vendor’s site.

Another
important consideration is unscheduled downtime and how easily
customers can access their own data. There’s a concept of “five 9s”
in the cloud world, which relates to “uptime,” or how often the
system will be accessible by users—99.999% uptime, which amounts to
5.26 minutes of total unscheduled downtime per year. This does not
include scheduled downtime, which many vendors say they set
during weekends or overnight to limit interruptions to users. This
is often guaranteed as part of service-level agreements and,
depending on the contracts, customers could be credited if the
guaranteed performance is not met. The percentage of uptime has
continued to climb over the years as providers place continued
importance on this factor as a selling point (or deterrent) based on
public perception. Some vendors are starting to say “no nines,”
meaning their systems are never down, but LaFollette points
out that most internal office networks don’t even come near “five
9s” of unscheduled downtime in a year.
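
The following Python example, added here and not part of the original article, checks a vendor's "five 9s" claim against an outage log: it totals unscheduled downtime, excludes time inside scheduled maintenance windows as described above, and compares the result with the 99.999% budget. The function names, the 365-day year and the outage and maintenance records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

YEAR = timedelta(days=365)  # assumption: SLA measured over a 365-day year

def t(stamp):
    """Parse an ISO timestamp such as '2010-03-02T14:00'."""
    return datetime.fromisoformat(stamp)

def downtime_budget(target_pct, period=YEAR):
    """Unscheduled downtime allowed in `period` at `target_pct` uptime."""
    return period * (1 - target_pct / 100)

def merge(intervals):
    """Merge overlapping (start, end) intervals so time is not double counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def unscheduled_downtime(outages, maintenance):
    """Total outage time that falls outside scheduled maintenance windows."""
    total = timedelta()
    windows = merge(maintenance)
    for start, end in merge(outages):
        total += end - start
        for w_start, w_end in windows:
            overlap = min(end, w_end) - max(start, w_start)
            if overlap > timedelta():
                total -= overlap  # scheduled time does not count against the SLA
    return total

def sla_report(outages, maintenance, target_pct=99.999, period=YEAR):
    """Compare measured unscheduled downtime with the SLA budget."""
    down = unscheduled_downtime(outages, maintenance)
    budget = downtime_budget(target_pct, period)
    return {
        "downtime_min": round(down.total_seconds() / 60, 2),
        "budget_min": round(budget.total_seconds() / 60, 2),
        "achieved_pct": round(100 * (1 - down / period), 4),
        "met": down <= budget,
    }

# Constructed sample records (not real vendor data).
MAINTENANCE = [(t("2010-06-13T01:00"), t("2010-06-13T04:00"))]  # Sunday overnight
OUTAGES = [
    (t("2010-03-02T14:00"), t("2010-03-02T14:03")),  # 3 min, unscheduled
    (t("2010-06-13T02:00"), t("2010-06-13T02:45")),  # inside the maintenance window
    (t("2010-09-20T09:10"), t("2010-09-20T09:14")),  # two overlapping records
    (t("2010-09-20T09:12"), t("2010-09-20T09:16")),  # of one 6-minute incident
]

if __name__ == "__main__":
    print(sla_report(OUTAGES, MAINTENANCE))
```

Two short incidents in a year are enough to exceed the five-nines budget here, which is why the contract's definition of scheduled downtime and its credit terms deserve a close read.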

Of
course, the cause of downtime can lie with the customers if they
don’t have ample bandwidth or any Internet access, since access to
data is driven by a company’s ability to access the Web.

Jim
Bourke, CPA/CITP, partner in charge of technology at
WithumSmith+Brown, compared the amount of bandwidth necessary when
moving from on-premise to a cloud environment to upgrading from a
garden hose to a fire hose. You will need a big, wide open pipe to
ensure reliable access to your data and applications around the
clock. While the specifics will vary depending on the applications
you use, the point is that the more of your business you do in the
cloud, the more important it becomes to make sure your Internet
connectivity is reliable.

Bourke
recommends choosing an Internet service provider that provides the
largest amount of affordable bandwidth in your area. Prices vary
tremendously across the country, but $100 to $200 a month is well
worth it for reliable access, he says. On top of that, whichever
company you choose, also consider paying for a secondary or backup provider.

Many
CPA firms choose telephone companies as both their primary and
secondary providers, which is OK as long as they aren’t the same
one, or even related. But choosing a cable company as a secondary
may be a better choice and may even provide faster speeds, Bourke says.

Another
obvious issue of concern is around data ownership and migration.
What happens to your data if you switch vendors or a vendor goes out
of business? Think of this the same way you would with online photo
storage and sharing companies. Can you get those photos back if you
want to? Be sure to ask vendors about their exit strategies and how
much it may cost you if you choose to take your data elsewhere.
Transferring data from one system to another is rarely easy. Also,
will the vendor help you migrate your data to them from your current applications?

WHERE WILL IT GO FROM HERE?

Because
there are so many Web-based applications, it’s likely that most
accountants have at least a small percentage of their data in the
cloud even if they don’t realize it. It’s just a matter of when they
will switch completely. LaFollette predicts that will happen in five
years, adding that in 10 years there will be almost no premise-based software.

A
recent survey of more than 1,000 accounting firms by CPA2Biz, the
AICPA’s marketing arm, found that 70% of respondents plan to
increase their use of Web-based applications in the next six to 18
months. (CPA2Biz has partnered with several cloud vendors as part of
its “Trusted Business Advisor Program.” They include Bill.com,
Capital Confirmation, Copanion, Intacct, Paychex and XCM Solutions.
See the “Vendors” sidebar for a list of other cloud vendors.)

The
cloud services industry is poised for strong growth through 2014,
when worldwide cloud services revenue is projected to reach $148.8
billion, with the financial services and manufacturing industries
being the largest early adopters of cloud services, Gartner reported.

“There’s
a transition period. Right now we’ve got one foot on the boat and
one foot on the dock, and it’s difficult to get stretched. At some
point you have to let go and go one way or the other,” LaFollette
said. “How do you go from Point A to Point B? When do you make that
leap? There’s no one right answer. My advice is to look at some of
the things out there right now and see what you can start using. If
I were going into practice today, everything I did would be
cloud-based immediately.”

Definitions

People
often associate cloud computing with Software-as-a-Service (SaaS)
or the application service provider (ASP) model. There are subtle
differences, however. While some vendors describe the terms
differently, the following brief explanations were provided by
Gregory LaFollette, CPA/CITP, a consultant to accounting firms and
vendors:

What
Is SaaS?

Generally
speaking, SaaS is developed and hosted by the SaaS vendor, and the
end-user accesses it over the Internet. Unlike traditional
packaged applications that users install on their computers or
servers, the SaaS vendor owns the software and runs it on
computers in its data center. The customer does not buy the
software but rather rents it, for a periodic fee, typically
monthly. SaaS products are multitenant-based (many users access
the same software at any given time) and generally unavailable in
a traditional “premise-based” form.

How
Is SaaS Different From an ASP? SaaS
evolved from the application service provider (ASP) model. When
ASPs were first offered in the early 1990s, they offered
essentially the same thing SaaS vendors offer today: hosted
applications delivered over the Internet. The difference is
generally agreed as being in the development process (SaaS is
built from the ground up to be multitenant).

Vendors in the Cloud

An
increasing number of applications that accountants and their
clients need to conduct business are available in the cloud.
These include, but are not limited to, bill management,
enterprise resource planning (ERP) applications, payroll, sales
tax, tax preparation and workflow.

CCH,
Intuit and Thomson Reuters all released Web-based versions of
their tax preparation applications last year. Executives from
all three companies stressed their commitment to bringing more
of their applications to the cloud moving forward. (See “Vendors Get SaaSy” in the
Sept. 21, 2009, AICPA CPA Insider e-newsletter.)

CPAs
don’t need to be aware of every cloud application that exists,
but they do need to be aware of some of the options, especially
for the types of applications specific to the profession.
Following is a partial list of vendors and products in the tax
and accounting space:

Audit Confirmation: Capital Confirmation

Bill Management and Payment for Businesses: Bill.com; Billing Boss/Payment Boss (SageSpark)

Customer Relationship Management (CRM): NetSuite; SageCRM.com; SalesForce.com

Document Management: CNG Online (Cabinet NG); GoFileRoom (Thomson Reuters); SmartVault

ERP: Intacct; NetSuite; QuickBooks Online

Financial Statements: BlackLine Systems; ProfitCents (Sageworks)

Payroll: Intuit Online Payroll (formerly Paycycle); Paychex; Payroll CS (Thomson Reuters); SurePayroll

Sales and Use Tax: Avalara; SpeedTax

Suites: AccountantsWorld; ProSystem fx Suite: Software as a Service (CCH); SaaS for CS Professional Suite (Thomson Reuters); SAP Business ByDesign; Thomson Reuters Virtual Office

Tax: GoSystem Tax RS (Thomson Reuters); Intuit ProLine Tax Online; Orange Door; ProSystem fx Tax—The Next Generation (SaaS Version) (CCH)

Workflow: GruntWorx (Copanion); FirmFlow (Thomson Reuters); ProSystem fx Workstream (CCH); SurePrep; XCM Solutions

EXECUTIVE SUMMARY

An increasing number of applications that accountants and
their clients need to conduct business are available in
the cloud. These
include, but are not limited to, bill management, enterprise
resource planning applications, payroll, sales tax, tax
preparation and workflow.

Worldwide, revenue from “cloud computing” services is
forecast to reach $68.3 billion in 2010, according to
analyst firm Gartner Inc.

The cloud services industry is poised for strong growth
through 2014, when
worldwide cloud services revenue is projected to reach
$148.8 billion, with the financial services and
manufacturing industries being the largest early adopters of
cloud services.

Benefits of working in the cloud include quick
implementation, anytime access, lower upfront and
maintenance costs, and easier and more frequent
updates.

Security and reliability remain top concerns for
CPAs switching to a cloud environment. There are several
questions you should ask a potential vendor before making an
investment in their products to ensure these concerns are
minimized.
